The triennial general assembly of the International Civil Aviation Organization (ICAO) is underway in Montreal for its first session since the outbreak of COVID-19, with speakers at its opening plenary last week including US Secretary of Transportation Pete Buttigieg.

It’s been many years since the US delegation to an ICAO meeting has included a Cabinet member. Secretary Buttigieg’s presence brought greater public attention than usual to the ICAO general assembly and related side events.  Unfortunately, news reports have focused on what Secretary Buttigieg said (mainly his comments about Taiwan) rather than on what ICAO is actually doing.

Despite its ostensibly limited role as a specialized international organization with a mandate to administer aviation treaties — a role which would make it logical for the US delegation to be headed by the Secretary of Transportation — police in the US and other ICAO members have coopted ICAO into functioning as a policy laundering venue for imposition of surveillance mandates on all travelers, whether or not they travel by air.

Rather than “faciliating” travel, ICAO’s Facilitation Programme is increasingly devoted to facilitating government control of travel. This includes a new ICAO standard, as discussed below, to enable global blackballing of travelers disfavored by any ICAO member country.

So far as we can tell, no representative of a data protection authority or a ministry primarily responsible for protection of human rights or civil liberties has been included in any country’s ICAO delegation or appointed to any ICAO technical working group.

But that hasn’t stopped ICAO from issuing mandates, under the purported authority of aviation treaties but directly contrary to human rights treaties, for the creation of a new surveillance and pre-crime profiling agency in every ICAO member, and for deployment and use of passports containing remotely-readable RFID chips.

ICAO’s lack of expertise in this non-aviation policy area makes it exceptionally vulnerable to capture — and indeed it has been entirely captured — by a malign convergence of interest between proponents of government  surveillance and control of travel and a travel industry which has been given a free ride for its shared use of government surveillance infrastructure and information for its own business process automation.

Here’s the bad news about what’s happening at ICAO with RFID passports:

As discussed at an online ICAO symposium on machine-readable travel documents that preceded the in-person assembly meeting, ICAO is considering requiring  all ICAO members (which include almost every country in the world) to include remotely-readable RFID chips in passports, through an amendment to Annex 9 to ICAO Document 9303.

[T]he ICBWG [ Implementation and Capacity Building Working Group] is working with the NTWG [New Technologies Working Group] to assess the impacts, benefits and challenges of mandating the issuance of electronic MRTDs (eMRTDs) in Annex 9. If eMRTDs were elevated to an Annex 9 standard, all ICAO Member States would be required under the Chicago Convention to issue eMRTDs (instead of MRTDs) by an agreed future date. Efforts are underway to engage States that have recently launched or have not yet launched eMRTDs, including passport issuing and border authorities, to contribute to this study in order to assess the pros and cons of a mandatory standard, and provide advice and options to the TAG-TRIP in 2023.

An “MRTD” includes a machine-readable line of type with the name, nationality, passport number, and validity dates in a font standardized for ease of optical character recognition. An “eMRTD” includes a much larger data set recorded on an RFID chip. RFID passports pose a much greater threat of data leakage and mission creep than the line of OCR type on an MRTD, and enable a much greater amount of travel surveillance and control.

Passports were originally thought of as identity documents, not travel logs. A passport might or might not contain records of visas, entries, exits. Countries that don’t want visitors stigmatized by other countries can, and some do, chose to issue visas as looseleaf documents or to record entries and exits on inserts separate from passports.

When RFID passports were introduced 15 years ago, the only standards for the data on the RFID chip were for identifying information about the passport holder and the issuing government. If any records of how, when, and where a passport was used were kept, they would have to be kept separately from the machine-readable info on or in the passport.

A block of address space on the RFID chip in each passport was reserved for future use for visas and travel logs, but there were no specifications for what data it might contain, or how it might be used.

That changed with the latest (8th) edition of the ICAO specifications, adopted in 2021:

The Eighth Edition of Doc 9303 incorporates the specifications for the optional Travel Records, Visa Records, and Additional Biometrics applications (known as LDS2 applications) as an extension of the mandatory eMRTD application (known as LDS1).

The new ICAO specifications provide a standardized format for converting the RFID chip on the passport from a digital identity token into into a digital surveillance record and travel log that each international traveler will be required to carry on their person.

The specification doesn’t use a blockchain, but does have some features in common with one. Electronic visas and entry and exit records, including variable-length free-text notes, can be appended to the data on the RFID chip, but can never be altered or deleted once entered. Each addition to the data set is digitally signed by the government responsible for the newly added data.

Whether to require digital recording of visas, entries, and exits is optional for each passport-issuing government. But governments of countries that a passport holder visits are required to record visas, entries, and exits in the RFID chip, if the country issuing the passport has indicated that this is mandatory.

This won’t be feasible until countries begin to deploy systems for reading these digital visas and writing travel logs to RFID passports. But the long-term implications of mandatory irrevocable digital travel logs are dire.

The most insidious feature of the new Logical Data Structure for travel records on passport RFID chips is the inclusion of variable-length free-text fields for the “results” of border  and airport inspections and for “conditions” imposed on the passport holder by any country they have visited.

That means that any country you visit can permanently and irrevocably enter allegations of attributes or acts, true or untrue, in your passport. Unless you get a new passport, ICAO rules will permit neither you nor the government of the country that issued your passport to  alter or expunge these free-form derogatory notations.

If, for whatever good or bad reasons, a country you visit wants to signal to other countries that it wants you to be given second-class treatment as “suspicious”, or that it wants you to be subjected to special restrictions, it can force you to convey that blackballing message to every country you subsequently visit by recording in the “travel record” in your passport that the “result of inspection” was that you were deemed suspicious (without needing to say why), or that you were subjected to special restrictions while in their country.

This stigmatizing information will become part of a permanent travel record that you are required to carry with you on the RFID chip in your passport and make available to the government of every other country you subsequently seek to enter.

The US government already issues specially-marked “scarlet letter” passports for certain disfavored travelers, in an effort to encourage other countries to deny them entry.  ICAO’s data structure for travel records on passport RFID chips would give every country in the world that power, with no possibility of redress and no substantive, procedural, or evidentiary standards with respect to the basis for blackballing any given traveler.

The proposal to make RFID chips a mandatory part of ICAO’s “aviation security” standards, on which this scheme depends, should be rejected. And freedom-loving travelers should continue to keep a close eye on ICAO for new threats to our freedom of movement.